Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry"



  • Hello,

    I use pfsense 2.4.4_p3 with a captive portal config. But something seems to be not working as define into netgate documentation for
    creating a portal for BYOD (smartphones).
    I give one voucher code for each user and (one other at each time user bring a new device) when arrive into company.
    The voucher has a 5 minutes life.
    The configuration use Pass-through MAC Auto Entry to Enable because this function save MAC ADDRESS into portal database, so now, device is knowned and not require authentification. For my memory I create this configuration in pfsense 2.3 and it works.
    But now, after 5 minutes, the auto-insert line into MACs tab is auto deleted.

    My Config
    Firewall Rules:
    -> all allow to firewall & all allow to WEB

    Captive Portal Config:
    -> I let all default parameters except:
    #enable= true
    #interface= my interface
    #Pass-through MAC Auto Entry = true
    #Authentication Method : use an authentification backend
    #Authentification server = localdatabase
    #Voucher =enable
    I have created 10 vouchers of 2 minutes
    I check all vouchers into "Status\captive portal" before starting. All are OK.

    Process:
    Laptop connect on BYOD interface.
    I get IP by DHCP service, Portal web page openening.
    I put the first Voucher ID into the web page, connect.
    I'm connected to internet. Perfect.
    -> I look into Services/CaptivePortal/Myportal/MACs , I see the line 'Auto-added for voucher xxxxxxxxxx' with the device MAC address
    After 2 minutes, web access is removed for the device, the MACs line is autoremoved from database too.

    So, can you confirm that "Pass-through MAC Auto Entry" should keep MAC address detected without any duration, event if Voucher code has been used initialy.
    Is it a bug ?
    Have you a solution to "auto-learn" Mac address for BYOD after first connexion?

    Thank you for your help.
    Johan



  • Hi,

    Can you re test, and showing the Status > System Logs > Captive Portal Auth during login ?
    Also, what shows : Diagnostics >Backup & Restore > Config History ?

    According to https://github.com/pfsense/pfsense/blob/65db20674d716208e340b96471ff98d1bb0c957b/src/etc/inc/captiveportal.inc#L1068 some mac (users) are auto pruned = logged out.
    "Voucher" type logins should be excluded from this.



  • @Gertjan said in Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry":

    "Voucher" type logins should be excluded from this.

    Well ....
    I activated Vouchers. Added a voucher roll with "5 minute duration", and activated :

    27779f5f-a666-421f-b022-134dbf5574a4-image.png

    I used a voucher to login, that was successful.
    It was added to the Services > Captive Portal > [ZONE] > MACs tab with an "Auto-added for voucher ...." description line.

    and I toke a coffee break for 5 minutes.

    Guess what ? The Diagnostics >Backup & Restore > Config History page confirmed that

    d264e96a-cfa3-4ae0-9259-9fafb29d41fa-image.png

    was executed (several times).

    My voucher had expired .... WTF, and the auto added MAC on the Services > Captive Portal > [ZONE] > MACs had disappeared also 👎
    So, @Johan35, you're right.

    I went back to the drawing board, it's here https://github.com/pfsense/pfsense/blob/65db20674d716208e340b96471ff98d1bb0c957b/src/etc/inc/captiveportal.inc#L1068 - the function captiveportal_prune_old_automac().

    Check out the main foreach loop on line 1076 (2019-11-28).
    There are 3 "if" blocks.
    The first one, the test where 'logintype' is not "voucher" test, this one handles all manually added MAC's by the admin, they should be kept in place - not pruned. This part is ok.
    The second if : this part handles the case where the voucher is used again using another device (another MAC). This part is, ok.
    It's the third if block. The MAC is removed if the time has expired ..... that's dead wrong.
    There is no need to test for expired vouchers here, using the function voucher_auth(). That's already being taken care of in the caller function, the main captiveportal_prune_old().

    Consider this : MAC entries on the Services > Captive Portal > [ZONE] > MACs page that are auto added using the " Pass-through MAC Auto Entry - Enable Pass-through MAC automatic additions" setting should NOT be pruned from the MAC list when they are expired.

    The (my) solution is easy :

    Comment out this block of code :

    			if (voucher_auth($emac['username']) <= 0) {
    				$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
    				if ($pipeno) {
    					captiveportal_free_dn_ruleno($pipeno);
    					$macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
    					$macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
    					$macrules .= "pipe delete {$pipeno}\n";
    					++$pipeno;
    					$macrules .= "pipe delete {$pipeno}\n";
    				}
    				$writecfg = true;
    				captiveportal_logportalauth($emac['username'], $emac['mac'],
    				    $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
    				unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
    			}
    

    like this :

    /* commented out			
    			if (voucher_auth($emac['username']) <= 0) {
    				$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
    				if ($pipeno) {
    					captiveportal_free_dn_ruleno($pipeno);
    					$macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
    					$macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
    					$macrules .= "pipe delete {$pipeno}\n";
    					++$pipeno;
    					$macrules .= "pipe delete {$pipeno}\n";
    				}
    				$writecfg = true;
    				captiveportal_logportalauth($emac['username'], $emac['mac'],
    				    $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
    				unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
    			}
    end commented out */
    
    

    I tested this. It works now, Auto added MAC (when logged in) stay in place.
    No matter if it concerns vouchers or classic user/password logins.

    edit : @free4, if you have 5 minutes, can you check my reasoning ? I know you know you way around in /etc/inc/captiveportal.inc very well.



  • Hello Gertjan,

    Thanks for your help.
    Regarding your process, it's totally logical and your proposal works like a charm . I don't see any "lateral" effects on my TEST Portal.
    So you are a chief and you save my day!

    Finally, I will test this code tonigth into PROD portal (after working hours) :

    if (voucher_auth($emac['username']) <= 0) {
    				/* Not removing MAC ADDRESS
    				$pipeno = captiveportal_get_dn_passthru_ruleno($emac['mac']);
    				if ($pipeno) {
    					captiveportal_free_dn_ruleno($pipeno);
    					$macrules .= "table {$cpzone}_pipe_mac delete any,{$emac['mac']}\n";
    					$macrules .= "table {$cpzone}_pipe_mac delete {$emac['mac']},any\n";
    					$macrules .= "pipe delete {$pipeno}\n";
    					++$pipeno;
    					$macrules .= "pipe delete {$pipeno}\n";
    				}
    				$writecfg = true; 
    				end commented out */
    				captiveportal_logportalauth($emac['username'], $emac['mac'],
    				    $emac['ip'], "EXPIRED {$emac['username']} LOGIN - TERMINATING SESSION");
    				unset($config['captiveportal'][$cpzone]['passthrumac'][$eid]);
    			}
    

    As I'm not totally sure of what happend with unset, I let it and will test .

    Anyway, it was a great help, thanks for all !
    I will report it as a bug .

    Johan



  • @Johan35 said in Captive Portal + Voucher not keeping auto-added "Pass-through MAC Auto Entry":

    As I'm not totally sure of what happend with unset

    Comment out as I did : the entire "if" block.
    Not some part of it.

    The unset will destroy the in memory config(xml) and when written out to disk later on by some other condif update, your auto-added MAC will get removed from the list.




Log in to reply